[MediaWiki-announce] MediaWiki Security and Maintenance Releases: 1.24.1, 1.23.8, 1.22.15 and 1.19.23

Markus Glaser glaser at hallowelt.biz
Wed Dec 17 21:23:39 UTC 2014


Hello everyone,

I would like to announce the release of MediaWiki 1.24.1, 1.23.8, 1.22.15 and 1.19.23. This is a regular security and maintenance release. Download links are given at the end of this email. Please note this release marks the end of lifetime for MediaWiki 1.22 branch.

== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
  which could lead to xss. Permission to edit MediaWiki namespace is required
  to exploit this.
* (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in
  $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as
  part of its name.

== Bugfixes ==
* (bug T74222) The original patch for T74222 was reverted as unnecessary.
* Fixed a couple of entries in RELEASE-NOTES-1.24.
* (bug T76168) OutputPage: Add accessors for some protected properties.
* (bug T74834) Make 1.24 branch directly installable under PostgreSQL.
* Add missing $ in front of variable in OutputPage.php

== Security fixes in extensions ==
* (bug T77624) [SECURITY] Extension:Listings: missing validation in the 
  'name' and 'url' parameters.
* (bug T73111) [SECURITY] Extension:ExpandTemplates: parses user input
  as wikitext and shows a preview, yet it fails to add an edit token to
  the form and check it. This can be exploited as an XSS when 
  $wgRawHtml = true. Note this only affects the 1.19/1.22 branches.
* (bug T76195) [SECURITY] Extension:TemplateSandbox: 
  Special:TemplateSandbox needs edit token when raw HTML is allowed
* (bug T69180) [SECURITY] Extension:Hovercards: XSS in text extracts.
* (bug T73167) [SECURITY] Extension:Scribunto allows cross-origin 
  leakage of data from a wiki through timing
* (bug T71209) [SECURITY] Extension:TimedMediaHandler: Patch getid3 
  library for CVE-2014-2053.

Full release notes for 1.24.1:
<https://www.mediawiki.org/wiki/Release_notes/1.24>
  
Full release notes for 1.23.8:
<https://www.mediawiki.org/wiki/Release_notes/1.23>

Full release notes for 1.22.15:
<https://www.mediawiki.org/wiki/Release_notes/1.22>

Full release notes for 1.19.23:
<https://www.mediawiki.org/wiki/Release_notes/1.19>

Public keys:
<https://www.mediawiki.org/keys/keys.html>

**********************************************************************
    1.24.1
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz

Patch to previous version (1.24.0):
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-core-1.24.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.patch.gz.sig


**********************************************************************
    1.23.8
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz

Patch to previous version (1.23.7):
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-core-1.23.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.23/mediawiki-1.23.8.patch.gz.sig


**********************************************************************
    1.22.15
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz

Patch to previous version (1.22.14):
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-core-1.22.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.22/mediawiki-1.22.15.patch.gz.sig


**********************************************************************
    1.19.23
**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz

Patch to previous version (1.19.22):
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-core-1.19.23.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.19/mediawiki-1.19.23.patch.gz.sig


Markus Glaser
(Wiki Release Team)



More information about the MediaWiki-announce mailing list